Traffic accounting with iptables
Suppose you need to know how much traffic a VPS eats. It can be easily done using iptables.
== Situation description ==
Let's consider the very simple situation: one VPS with one IP address on a Hardware Node (HN) with only one interface. To be more exact, assume that the VPS id is <tt>200</tt>, the IP address of the HN is <tt>192.168.0.56</tt>, the interface name is <tt>eth0</tt>, and the IP address of the VPS is <tt>192.168.0.117</tt>. You wish to know how many bytes VPS 200 eats. One more assumption: there are no iptables rules on the HN yet. All these assumptions are only for clarity!
== Solution ==
Almost any traffic that goes to and from a VPS can be caught in the FORWARD chain of iptables in VE0 (that is, on the HN), so we add rules matching the VPS address in both directions:
<pre>
# iptables -A FORWARD -s 192.168.0.117
# iptables -A FORWARD -d 192.168.0.117
</pre>
It means that all traffic forwarded to IP 192.168.0.117 and from IP 192.168.0.117 will be accounted. Note that the rules have no <tt>-j</tt> target: they match and count, but never accept or drop anything, so they do not change what the firewall does. The other side of that coin is that a terminating rule placed earlier in the chain (a <tt>-j DROP</tt> or <tt>-j ACCEPT</tt>) consumes packets before they reach the counters, so on a node that already has a ruleset insert the accounting rules at the top with <tt>-I FORWARD 1</tt> rather than appending them with <tt>-A</tt>.

To obtain the current traffic usage of the VPS you can give the command:
<pre>
# iptables -nv -L FORWARD
 pkts bytes target     prot opt in     out     source               destination
   15  1052            all  --  *      *       0.0.0.0/0            192.168.0.117
</pre>
The "bytes" column is the one we need. Once the counters grow large, <tt>-v</tt> abbreviates them (<tt>1052K</tt>, <tt>3M</tt>); add <tt>-x</tt> (<tt>iptables -nvx -L FORWARD</tt>) to get exact byte counts, which is what any script parsing this output should do.

It's worth saying that restarting the VPS doesn't affect accounting; the counters remain correct. But if you restart the node, all rules and consequently all statistics are dropped. So it's recommended to run a cron job that dumps the statistics to disk, and to add an init script that creates the iptables rules on HN start. <tt>iptables-save -c</tt> writes the rules together with their current counters and <tt>iptables-restore -c</tt> loads both back, so the dump and the init script can share one file.
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
As is easy to see, this is not per-VPS but rather per-IP statistics. Thus you must be careful when changing the IPs of VPSs, otherwise you'll get a mess of results.
By "almost any traffic" I mean that traffic between the VE and VE0 isn't accounted by the rules above. I don't know whether it is useful for anybody, but to account such traffic the following rules will do:
<pre>
# iptables -I INPUT 1 -i venet0 -d 192.168.0.117
# iptables -I OUTPUT 1 -o venet0 -s 192.168.0.117
</pre>
Whatever rules you end up with, verify them before relying on the numbers: send a known amount of traffic (for example a fixed number of pings of a fixed size) and check that the counter you expect grows by about that much and no other one does.
− | |||
To observe results:
<pre>
# iptables -nv -L INPUT
Chain INPUT (policy ACCEPT 542 packets, 63745 bytes)
 pkts bytes target     prot opt in     out     source               destination
   35  4533            all  --  venet0 *       0.0.0.0/0            192.168.0.117
# iptables -nv -L OUTPUT
Chain OUTPUT (policy ACCEPT 247 packets, 27847 bytes)
 pkts bytes target     prot opt in     out     source               destination
</pre>
If you want to start counting from scratch, zero the counters:
<pre>
# iptables -Z
</pre>
The disadvantage is that this way you zero all counters in all rules. <tt>iptables -Z FORWARD</tt> limits the reset to one chain and <tt>iptables -Z FORWARD 1</tt> to one rule, and combining the reset with a listing (<tt>iptables -nvx -L FORWARD -Z</tt>) prints the counters immediately before clearing them, so no packets fall between the read and the reset. If that is still undesirable for you, you can just replace the rule with the same rule, which resets the counters of that rule only (read them right before replacing, for the same reason):
<pre>
# iptables -nv -L FORWARD
Chain FORWARD (policy ACCEPT 101 packets, 10715 bytes)
 pkts bytes target     prot opt in     out     source               destination
   44  5151            all  --  *      *       192.168.0.117        0.0.0.0/0
   57  5564            all  --  *      *       0.0.0.0/0            192.168.0.117
# iptables -R FORWARD 1 -s 192.168.0.117
# iptables -nv -L FORWARD
Chain FORWARD (policy ACCEPT 101 packets, 10715 bytes)
 pkts bytes target     prot opt in     out     source               destination
</pre>
Rule 1 (the <tt>-s</tt> rule) now counts from zero again, while the counters of rule 2 are untouched.
Well, now that we know how to work in the easiest case, we'll try to understand what to do in more complicated situations.
* More than one VPS on the node: just add the rules like above for each VPS's IP.
* More than one IP per VPS: for each IP add the rules like above. When counting the complete traffic of a VPS you have to sum over all IPs that this VPS owns.
* More interfaces on the HN: nothing to do! :) The rules match on addresses only, so it does not matter which interface a packet arrives on or leaves through.
== Scripting ==
As you see, this way can be time-consuming in case of a big number of VPSs. So if anybody has scripts that automate the whole process, you are welcome!
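As a starting point, here is an added example script (not from the original article or from OpenVZ) that automates the two chores described above: creating the accounting rules for every VPS and dumping per-VPS byte counts for a cron job, summing over all IPs a VPS owns. The VPS-to-IP map, the log file path and the sample <tt>iptables -nvx -L FORWARD</tt> listing are constructed for the example; only the rule form is the one used on this page.

```sh
#!/bin/sh
# Added example (hypothetical helper, not part of the original article):
# per-VPS traffic accounting on an OpenVZ Hardware Node using the
# target-less FORWARD rules described above.

# VPS-to-IP map, one "ctid ip" pair per line. Constructed sample data;
# VPS 201 owns two addresses to show summing over several IPs.
VPS_MAP='200 192.168.0.117
201 192.168.0.118
201 192.168.0.119'

# Where dump_usage appends its records (assumed path).
LOGFILE=${LOGFILE:-/var/log/vps_traffic.log}

# Print the iptables commands that install one -s and one -d accounting
# rule per IP. -C skips rules that already exist, so the output is safe
# to run from an init script on every boot; -I FORWARD 1 puts the rules
# before any terminating rule so nothing is consumed before it is counted.
gen_rules() {
    printf '%s\n' "$VPS_MAP" | while read -r ctid ip; do
        [ -n "$ip" ] || continue
        for dir in s d; do
            printf 'iptables -C FORWARD -%s %s 2>/dev/null || iptables -I FORWARD 1 -%s %s\n' \
                "$dir" "$ip" "$dir" "$ip"
        done
    done
}

# Read an `iptables -nvx -L FORWARD` listing on stdin and print one
# "<ip> in|out <bytes>" line per accounting rule. The target column of a
# rule without -j is empty, so source and destination are taken from the
# end of the line rather than from fixed field positions; -x is required
# so that byte counts are never abbreviated to "1052K".
parse_forward() {
    awk '
        /^Chain/ || /^[ \t]*pkts/ || NF < 8 { next }
        {
            src = $(NF - 1); dst = $NF
            if (src != "0.0.0.0/0" && dst == "0.0.0.0/0") print src, "out", $2
            else if (src == "0.0.0.0/0" && dst != "0.0.0.0/0") print dst, "in", $2
        }'
}

# Read parse_forward output on stdin and print "<ctid> <bytes_in> <bytes_out>"
# per VPS, summed over all IPs in VPS_MAP. IPs not in the map are ignored.
sum_per_vps() {
    awk -v map="$VPS_MAP" '
        BEGIN {
            n = split(map, lines, "\n")
            for (i = 1; i <= n; i++) {
                if (split(lines[i], f, " ") == 2) { ctid[f[2]] = f[1]; vps[f[1]] = 1 }
            }
        }
        ($1 in ctid) { if ($2 == "in") inb[ctid[$1]] += $3; else outb[ctid[$1]] += $3 }
        END { for (c in vps) print c, inb[c] + 0, outb[c] + 0 }
    ' | sort -n
}

# Cron entry point on the HN (needs root): append one timestamped record
# per VPS. Not exercised by the self-test, since it talks to the kernel.
dump_usage() {
    now=$(date +%s)
    iptables -nvx -L FORWARD | parse_forward | sum_per_vps |
        while read -r ctid inb outb; do
            printf '%s %s %s %s\n' "$now" "$ctid" "$inb" "$outb"
        done >> "$LOGFILE"
}

# Constructed listing in the exact shape `iptables -nvx -L FORWARD` prints
# for target-less rules, used for the demo and the self-test.
SAMPLE_LISTING='Chain FORWARD (policy ACCEPT 101 packets, 10715 bytes)
    pkts      bytes target     prot opt in     out     source               destination
      44       5151            all  --  *      *       192.168.0.117        0.0.0.0/0
      57       5564            all  --  *      *       0.0.0.0/0            192.168.0.117
       3        252            all  --  *      *       192.168.0.118        0.0.0.0/0
       0          0            all  --  *      *       0.0.0.0/0            192.168.0.118
      10       1000            all  --  *      *       192.168.0.119        0.0.0.0/0
       5        500            all  --  *      *       0.0.0.0/0            192.168.0.119'

demo() { printf '%s\n' "$SAMPLE_LISTING" | parse_forward | sum_per_vps; }

if [ "${1:-}" = demo ]; then demo; fi
```

Run it with <tt>demo</tt> as the first argument to see the per-VPS summary computed from the embedded sample listing; on a real HN, <tt>gen_rules | sh</tt> installs the rules and <tt>dump_usage</tt> is the cron entry point. The parser reads source and destination from the end of each line on purpose: rules without a <tt>-j</tt> target leave the target column empty, which shifts the fields by one compared with a normal firewall rule.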
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | As you see this way can be time-consuming in case of | ||
− | |||
− | So if anybody has scripts that automate all the process | ||
− | |||
− | |||
− | |||
[[Category: HOWTO]]
[[Category: Networking]]